Re: unofficial package repository and the bugs system

To: Jim Pick <jim@jimpick.com>
Cc: debian-devel@lists.debian.org
Subject: Re: unofficial package repository and the bugs system
From: Fabrizio Polacco <fpolacco@icenet.fi>
Date: Sat, 25 Oct 1997 00:49:34 +0300
Message-id: <[🔎] 345117EE.7C99EE2E@icenet.fi>
References: <[🔎] m0xO5gw-00IS0dC@golem.pixar.com> <[🔎] m0xOAOh-00IS0dC@golem.pixar.com> <[🔎] 87d8kx9vs6.fsf@fleming.jimpick.com> <[🔎] m0xOBQx-0000aHC@miles.econ.queensu.ca> <[🔎] 87afg19trr.fsf@fleming.jimpick.com> <[🔎] 344F1609.343DAA67@icenet.fi> <[🔎] 87wwj41k3w.fsf@fleming.jimpick.com> <[🔎] 34509A59.427C8A96@icenet.fi> <[🔎] 87vhynauxj.fsf@fleming.jimpick.com>

Jim Pick wrote:
> 
> Fabrizio Polacco <fpolacco@icenet.fi> writes:
> 
> > As default we should have two keys: debian.org and non-us.debian.org
> 
> I don't think that is really necessary if we have the packages signed
> by the maintainers, and distribute a maintainer key ring.  Plus, if we
> do it that way, it is much easier to take a maintainers packages out
> of circulation if he/she violates our trust - just remove their key
> from the keyring.

Users adds the keys we distribute to their own keyrings. Removing one
key from the keyring we distribute isn't enough: it should be revoked
and AFAIK only the "owner" can do that, and it's not likely to happen,
because that is their personal key and they probably want to continue to
use it. People would also get keys from the keyservers, without thinking
that they could be used to validate packages.

I think that the maintainer's signature only certify to Debian that the
package really came from that person (and Debian knowns if he/she is a
trusted maintainer or not), but doesn't certify to users that the
package came from Debian or not.

As several maintainers do, I also upload my packages to an ftp site
that's not under Debian's control. That package could be rejected or the
tester could find there a severe security flaw, and the package won't
find a way to the ftp hierarchy. But a copy, with my signature as a
trusted Debian maintainer, still was available and could have been
downloaded by an unaware user.

No, I think that they should be separate certifications because they
fill separate needs.

Fabrizio
-- 
| fpolacco@icenet.fi    fpolacco@debian.org    fpolacco@pluto.linux.it
| Pluto Leader - Debian Developer & Happy Debian 1.3.1 User - vi-holic
| 6F7267F5 fingerprint 57 16 C4 ED C9 86 40 7B 1A 69 A1 66 EC FB D2 5E
> Just because Red Hat do it doesn't mean it's a good idea. [Ian J.]

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to:

References:
- Re: unofficial package repository and the bugs system
  - From: bruce@pixar.com (Bruce Perens)
- Re: unofficial package repository and the bugs system
  - From: bruce@pixar.com (Bruce Perens)
- Re: unofficial package repository and the bugs system
  - From: Jim Pick <jim@jimpick.com>
- Re: unofficial package repository and the bugs system
  - From: Dirk Eddelbuettel <edd@rosebud.sps.queensu.ca>
- Re: unofficial package repository and the bugs system
  - From: Jim Pick <jim@jimpick.com>
- Re: unofficial package repository and the bugs system
  - From: Fabrizio Polacco <fpolacco@icenet.fi>
- Re: unofficial package repository and the bugs system
  - From: Jim Pick <jim@jimpick.com>
- Re: unofficial package repository and the bugs system
  - From: Fabrizio Polacco <fpolacco@icenet.fi>
- Re: unofficial package repository and the bugs system
  - From: Jim Pick <jim@jimpick.com>

Prev by Date: Re: Let's be friends. (Non-maintainer uploads made easier)
Next by Date: Re: unofficial package repository and the bugs system
Previous by thread: Re: unofficial package repository and the bugs system
Next by thread: Re: unofficial package repository and the bugs system
Index(es):
- Date
- Thread